Abstract. The GMR-2 cipher is a stream cipher currently used in some Inmarsat satellite phones.
It has been shown that this cipher can be cracked using only one frame of known keystream, but with a moderate
execution time. In this paper, we present a new, thorough security analysis of the GMR-2 cipher. We first study
the inverse properties and the relationship of the cipher’s components to reveal the poor one-way character of the
cipher. Then, by introducing a new concept called the “valid key chain” according to the cipher’s key schedule, we
propose for the first time a real-time inversion attack using one frame of keystream. This attack contains three
phases: (1) table generation, (2) dynamic table look-up, filtration and combination, (3) verification. Our analysis
shows that, using the proposed attack, the exhaustive search space for the 64-bit encryption key can be reduced
to about $2^{13}$ when one frame (15 bytes) of keystream is available. Compared with previously known attacks, this
inversion attack is much more efficient. Finally, the proposed attack is carried out on a 3.3GHz platform, and
the experimental results demonstrate that the 64-bit encryption key could be recovered in around 0.02s on average.
1 Introduction

1.1 Backgrounds and the GMR-2 Cipher 

With the rapid evolution and development of 4G technologies, mobile phone systems are now available worldwide,
yet it is still difficult to build a complete mobile network in some remote areas, such as outlying deserts,
oceans, and mountains. Thus, to fill the gaps left by radio-based technologies, satellite phones
have been widely used in these areas. Currently, the commonly used satellite communication standards are
mainly developed by the international standards organization ETSI [7], including the GMR-1 standard and the
GMR-2 standard. For instance, Thuraya phones are based on the GMR-1 standard, while Inmarsat
phones adopt the GMR-2 standard.

Given that confidentiality is a crucial aspect of satellite communications, the encryption algorithms
in satellite phones should be strong enough to withstand various eavesdropping risks. For mobile
application scenarios, many symmetric ciphers were developed and adopted as the cryptographic components
for secure communications, e.g., A5, SNOW, and ZUC, and their security has been sufficiently evaluated in past
years [2, 6, 11, 12, 14-16]. However, the GMR cryptographic algorithms are not included in the officially
published GMR standards, and the details of these satellite cipher algorithms were non-public until the German
research team Driessen et al. uncovered the GMR-1 and the GMR-2 cipher by reverse engineering in 2012
[4,5]. Their analysis results illustrate that both ciphers are stream ciphers. In particular, the GMR-1
cipher is a proprietary variant of the GSM A5/2 algorithm [4], thus the cryptanalytic methods against the A5/2
algorithm [1,3] can almost directly be adapted to it. The GMR-2 cipher is an entirely newly designed stream
cipher; however, it has been found to be insecure against two types of known plaintext attacks. Driessen et al.
proposed the first known plaintext attack against it, based on the read-collision technique [4]
according to the key-scheduling features of the GMR-2 cipher. The time complexity of this attack is about
$2^{18}$ with approximately 50 ~ 65 bytes of keystream. Li et al. further put forward a low data complexity
attack method called the dynamic guess-and-determine attack [13], which can break the GMR-2 cipher by
guessing about 28 bits on average when 15 bytes of keystream are available.
1.2 Main Contribution and the Outline

Generally speaking, stream ciphers first generate keystreams by applying a series of complex cryptographic
transformations to the initial vectors and the encryption-key, and then XOR the keystreams with
plaintexts to obtain the ciphertexts. Therefore, to resist known plaintext attacks, a vital requirement of
stream ciphers is the one-way property, i.e., it must be difficult for the adversary to derive the encryption-key
from the keystream through an inversion procedure. In [8-10], Golic et al. proposed an inversion
attack method against the keystream generator consisting of a linear feedback shift register and a nonlinear
filter, and proved the effectiveness of such an attack in some cases.

In this paper, we study the inverse properties of the GMR-2 cipher to show the poor one-way character of
this cipher; then, by introducing a new concept, the “valid key chain”, we propose what we call the inversion
attack against the GMR-2 cipher. Our proposed attack consists of three major phases: (1) table generation,
(2) dynamic table look-up, filtration and combination, (3) verification. With the help of an extra 6KB of
memory storage, this attack can reduce the exhaustive search space from $2^{64}$ to about $2^{13}$ on average when
one frame (15 bytes) of keystream is available. This indicates that the inversion attack is very efficient and
practical, which could lead to a real-time crack of the GMR-2 cipher. The experimental results on a 3.3GHz
platform demonstrate that the 64-bit encryption-key can be completely retrieved in around 0.02s.

This paper is organized as follows: a brief introduction to the GMR-2 cipher is recalled in Section 2.
Sections 3 and 4 analyse the inverse properties as well as the relationship of the three components of the
GMR-2 cipher. Section 5 proposes the attack strategy and details the attack procedure. The experimental
results and the attack complexity are subsequently analysed in Section 6. Finally, Section 7 gives a
concise summary of this paper.

2 Description of the GMR-2 Cipher 

The GMR-2 cipher is a kind of stream cipher with 64-bit key-length. As shown in Fig. 1, the internal
states of the cipher include an 8-byte shift register $S = (S_7, S_6, \ldots, S_0)$, an 8-byte encryption-key register
$K = (K_7, K_6, \ldots, K_0)$, a counter $c \in \{0, 1, \ldots, 7\}$, and a toggle-bit $t \in \{0, 1\}$. They are transformed
through three components $\mathcal{F}$, $\mathcal{G}$, and $\mathcal{H}$. At each clock $l$, the cipher generates one byte of keystream, which we
denote by $Z_l$.

The $\mathcal{F}$-component can be treated as the key schedule part of the GMR-2 cipher; it combines two bytes
of the encryption-key with the previous output (a keystream byte) to compute a 12-bit output. The
$\mathcal{G}$-component is designed for mixing purposes; it is a linear function with 12-bit input and 12-bit output. The
$\mathcal{H}$-component is a nonlinear filter; it consists of two parallel DES S-boxes with 16-bit input and 8-bit output.
The following subsections describe these three components in detail.


Fig. 1. Overall Structure of the GMR-2 Cipher

Fig. 2. The structure of the $\mathcal{F}$-component

Table 1. Definition of $\tau_1$ and $\tau_2$
2.1 Components of the GMR-2 cipher


$\mathcal{F}$-component. As the most interesting part of the cipher, the internal structure of the $\mathcal{F}$-component is depicted
in Fig. 2. The 8-byte encryption-key $K = (K_7, K_6, \ldots, K_0)$ is fed into a 64-bit register and it is unchanged
during the whole execution of the cipher. At each clock, the $\mathcal{F}$-component selects two key bytes (one from the
lower side and the other from the upper side) for further computation, and the procedure can be described
formally as follows:

Assume the cipher is executed at the $l$-th clock. Besides the 8-byte encryption-key $K$, the inputs of the
$\mathcal{F}$-component also contain three variables $c$, $t$, and $p$, where $c = l \bmod 8$ is a counter ranging from 0 to
7 sequentially and repeatedly, $t = c \bmod 2$ is a toggle bit, and $p = (p_7, p_6, \ldots, p_0) \in \{0, 1\}^8$ is a feedback
keystream byte that has already been generated in the last clock. We simply use $p = Z_{l-1}$ to denote the
keystream byte that was generated at the previous (the $(l-1)$-th) clock. The outputs of the $\mathcal{F}$-component
consist of an 8-bit $O_0$ and a 4-bit $O_1$ with the following definitions:

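$$
\begin{cases}
O_0 = (K_{\tau_1(\alpha)} \ggg \tau_2(\tau_1(\alpha)))_8 \\
O_1 = ((((K_c \oplus p) \gg 4) \,\&\, \mathrm{0x0F}) \oplus ((K_c \oplus p) \,\&\, \mathrm{0x0F}))_4
\end{cases}
\qquad (1)
$$

where $\alpha$ is defined by

$$
\alpha = \mathcal{N}(t, K_c \oplus p) =
\begin{cases}
((K_c \oplus p) \,\&\, \mathrm{0x0F})_4 & \text{if } t = 0 \\
(((K_c \oplus p) \gg 4) \,\&\, \mathrm{0x0F})_4 & \text{if } t = 1
\end{cases}
\qquad (2)
$$

and $\tau_1 : \{0, 1\}^4 \to \{0, 1\}^3$, $\tau_2 : \{0, 1\}^3 \to \{0, 1\}^3$ are two functions implemented via table look-up as shown
in Table 1.

Fig. 3. The structure of the $\mathcal{G}$-component

Fig. 4. The structure of the $\mathcal{H}$-component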

$\mathcal{G}$-component. Fig. 3 illustrates the structure of the $\mathcal{G}$-component, where $B_1$, $B_2$, and $B_3$ are all linear
functions. The $\mathcal{G}$-component gets the outputs of the $\mathcal{F}$-component ($O_0$ and $O_1$) and the one-byte state register
$S_0 = (S_{0,7}, S_{0,6}, \ldots, S_{0,0})$ as its inputs, and after a series of linear transformation, transposition, and XOR
operations, it produces two 6-bit outputs $O'_0$ and $O'_1$, which can be expressed as follows:

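$$
\begin{cases}
O'_0 = (O_{0,7} \oplus O_{0,4} \oplus S_{0,5},\ O_{0,7} \oplus O_{0,6} \oplus O_{0,4} \oplus S_{0,7},\ O_{0,7} \oplus S_{0,4}, \\
\qquad\ \ O_{0,5} \oplus S_{0,6},\ O_{1,3} \oplus O_{1,1} \oplus O_{1,0},\ O_{1,3} \oplus O_{1,0})_6 \\
O'_1 = (O_{0,3} \oplus O_{0,0} \oplus S_{0,1},\ O_{0,3} \oplus O_{0,2} \oplus O_{0,0} \oplus S_{0,3},\ O_{0,3} \oplus S_{0,0}, \\
\qquad\ \ O_{0,1} \oplus S_{0,2},\ O_{1,2},\ O_{1,0})_6
\end{cases}
\qquad (3)
$$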

$\mathcal{H}$-component. The $\mathcal{H}$-component gets the two 6-bit outputs of the $\mathcal{G}$-component as its input. Fig. 4 shows
the structure of the $\mathcal{H}$-component, which is composed of two 6-in and 4-out S-boxes ($S_2$ and $S_6$) used in the DES
algorithm. However, these two S-boxes have been reordered to account for the different addressing. Assume
that the 6-bit input of the S-box is $(x_5, x_4, x_3, x_2, x_1, x_0)_2$; for the GMR-2 cipher, the most-significant 4 bits
$(x_5, x_4, x_3, x_2)$ determine the column index of the S-box while the least-significant 2 bits $(x_1, x_0)$ select the
S-box row index. Finally, depending on the toggle-bit $t$, the output one-byte keystream can be defined by:


$$
Z_l =
\begin{cases}
(S_2(O'_1), S_6(O'_0))_8 & \text{if } t = 0 \\
(S_2(O'_0), S_6(O'_1))_8 & \text{if } t = 1
\end{cases}
\qquad (4)
$$
2.2 Mode of operation

As mentioned in [4], we can now describe the mode of operation for the GMR-2 cipher. When the cipher is
clocked for the $l$-th time, the state of the GMR-2 cipher is changed as follows:

- The cipher generates one keystream byte $Z_l$ based on the current value of the state-register $S$, the counter
$c$ and the toggle bit $t = c \bmod 2$.

- The counter $c$ is incremented by one, and when 8 is reached for $c$, $c$ is reset to 0.

- The state-register $S$ is shifted by one byte to the right, thus $S_i = S_{i+1}$ for $i = 0, 1, 2, \ldots, 6$, and $S_7 = Z_l$.
Meanwhile, $p = S_7 = Z_l$ is passed to the $\mathcal{F}$-component as the input parameter for the next iteration (the
$(l+1)$-th clock).

The GMR-2 cipher is operated in two modes: the initialization mode and the generation mode. 


Initialization Mode. In the initialization phase, the following steps are performed: 

- The counter c = 0 and the toggle-bit t = 0. 

- The 64-bit encryption-key is written into the register in the $\mathcal{F}$-component.

- The state-register $S$ is initialized with a 22-bit frame-number $N$ according to a special rule, which is not
detailed here as it is irrelevant to our attack.

- After c, t, S have been initialized, the cipher is clocked 8 times, but the resulting keystream is discarded. 


Generation Mode. After the initialization is finished, the cipher is switched into generation mode to
produce and output actual keystream bytes. We use $Z_l^{(N)}$ to denote the $l$-th keystream byte after initialization
with the frame number $N$. For each frame number $N$, the cipher will operate 15 clocks and generate a 15-byte
keystream. After that, the frame number $N$ automatically increases by 1 and the state-register is
re-initialized with the new frame number, and then the cipher will generate another 15-byte keystream.
Assuming the frame number starts from 0, the actual keystream $Z'$ is made up of blocks of 15 bytes that
are concatenated as follows:

$$
Z' = (Z_0^{(0)}, Z_1^{(0)}, \ldots, Z_{14}^{(0)}, Z_0^{(1)}, \ldots, Z_{14}^{(1)}, Z_0^{(2)}, \ldots) \qquad (5)
$$


3 Inverse Properties of the GMR-2 Cipher’s Components 

The GMR-2 cipher consists of three components, in which the $\mathcal{F}$-component plays the role of key schedule, the
$\mathcal{G}$-component acts as a linear transformation, and the $\mathcal{H}$-component implements a nonlinear transformation.
Both cryptanalytic methods proposed in [4, 13] originate from the forward analysis of the GMR-2 cipher,
whereas our proposed inversion attack is inspired by the backward analysis, i.e., we try to reverse the
encryption procedure to deduce the encryption-key from the output keystream directly. Thus in this section,
we will first study the inverse properties of the three components which are related to our later analysis.


3.1 Inverse Property of the $\mathcal{H}$-component

The $\mathcal{H}$-component is composed of two S-boxes in parallel, and it selects the column and row indices of the two
S-boxes through the toggle-bit $t$, as shown in Eq. 4. In fact, we can extract the relationship between the
input $(O'_0, O'_1)$ of $\mathcal{H}$ and the output $Z_l$ of $\mathcal{H}$ (the keystream byte) by “inverting” the two S-boxes. Thus, we
have the following proposition:

Proposition 1 For the $\mathcal{H}$-component, if the row index and the output of an S-box are known, the column index
can be uniquely determined; if only the outputs of both S-boxes are known, there will be 4 × 4 = 16 different
corresponding row/column indices.
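
The counting in Proposition 1, as an added Python example (not code from the paper). It assumes the standard DES S2 and S6 tables, the addressing described in Section 2.1 (top 4 input bits select the column, low 2 bits the row), and that the $S_2$ output is the high nibble of the keystream byte in Eq. 4; all function names are illustrative.

```python
# Added illustration of Proposition 1; not code from the paper.
# Assumptions: standard DES S-box tables, GMR-2 addressing (column = top 4 bits,
# row = low 2 bits), S2 output = high nibble of the keystream byte.

DES_S2 = [
    [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10],
    [3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5],
    [0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15],
    [13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9],
]
DES_S6 = [
    [12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11],
    [10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8],
    [9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6],
    [4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13],
]


def sbox(box, x6):
    """Look up a 6-bit input with the GMR-2 addressing."""
    return box[x6 & 0x3][(x6 >> 2) & 0xF]


def h_forward(o0p, o1p, t):
    """Eq. 4: keystream byte from the two 6-bit inputs (O'_0, O'_1)."""
    s2_in, s6_in = (o1p, o0p) if t == 0 else (o0p, o1p)
    return (sbox(DES_S2, s2_in) << 4) | sbox(DES_S6, s6_in)


def column_for(box, row, out):
    """Known row and output: each S-box row is a permutation, so one column."""
    cols = [c for c in range(16) if box[row][c] == out]
    if len(cols) != 1:
        raise ValueError("row is not a permutation of 0..15")
    return cols[0]


def sbox_preimages(box, out):
    """Known output only: one 6-bit input per row, four in total."""
    return [(column_for(box, row, out) << 2) | row for row in range(4)]


def h_preimages(z, t):
    """All 4 x 4 = 16 pairs (O'_0, O'_1) that produce keystream byte z."""
    pairs = []
    for a in sbox_preimages(DES_S2, z >> 4):       # input fed to S2
        for b in sbox_preimages(DES_S6, z & 0xF):  # input fed to S6
            pairs.append((b, a) if t == 0 else (a, b))
    return pairs


if __name__ == "__main__":
    z, t = 0x5A, 0                                 # constructed sample values
    for o0p, o1p in h_preimages(z, t):
        print(f"O'_0={o0p:06b} O'_1={o1p:06b} -> {h_forward(o0p, o1p, t):#04x}")
```
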
3.2 Inverse Property of the $\mathcal{G}$-component

Assume the shift register $S_0$ is known; then the $\mathcal{G}$-component can be represented by an affine transformation.
We focus on how to extract the inputs $O_0$ and $O_1$ of $\mathcal{G}$, given the outputs $O'_0$ and $O'_1$ along with $S_0$. According
to [13] and Eq. 3, the link$^1$ between the input and output of the $\mathcal{G}$-component can be expressed by


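$$
\begin{cases}
y_1 = W_1 \cdot x_1 \oplus Q' \cdot v \\
y_2 = W_2 \cdot x_2
\end{cases}
\qquad (6)
$$

where

$$
W_1 = \begin{pmatrix} A & 0 \\ 0 & A \end{pmatrix}, \quad
W_2 = (B), \quad
Q' = \begin{pmatrix} C & 0 \\ 0 & C \end{pmatrix},
$$

$$
A = \begin{pmatrix} 1&0&0&1 \\ 1&1&0&1 \\ 1&0&0&0 \\ 0&0&1&0 \end{pmatrix}, \quad
B = \begin{pmatrix} 1&0&1&1 \\ 1&0&0&1 \\ 0&1&0&0 \\ 0&0&0&1 \end{pmatrix}, \quad
C = \begin{pmatrix} 0&0&1&0 \\ 1&0&0&0 \\ 0&0&0&1 \\ 0&1&0&0 \end{pmatrix}, \quad
0 = \begin{pmatrix} 0&0&0&0 \\ 0&0&0&0 \\ 0&0&0&0 \\ 0&0&0&0 \end{pmatrix}
$$

and

$$
\begin{cases}
y_1 = (O'_{0,5}, O'_{0,4}, O'_{0,3}, O'_{0,2}, O'_{1,5}, O'_{1,4}, O'_{1,3}, O'_{1,2})^T \\
y_2 = (O'_{0,1}, O'_{0,0}, O'_{1,1}, O'_{1,0})^T \\
x_1 = (O_{0,7}, O_{0,6}, O_{0,5}, O_{0,4}, O_{0,3}, O_{0,2}, O_{0,1}, O_{0,0})^T \\
x_2 = (O_{1,3}, O_{1,2}, O_{1,1}, O_{1,0})^T \\
v = (S_{0,7}, S_{0,6}, S_{0,5}, S_{0,4}, S_{0,3}, S_{0,2}, S_{0,1}, S_{0,0})^T
\end{cases}
$$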

In the above formulas, $x_1$, $x_2$ and $v$ are used to represent $O_0$, $O_1$ and $S_0$, which are the inputs of $\mathcal{G}$,
and $(y_1, y_2)$ is used to represent a simple permutation of $(O'_0, O'_1)$, which is the output of $\mathcal{G}$. By carefully
observing the $\mathcal{H}$-component, we can see that $y_1$ corresponds to the column indices of the two S-boxes, and $y_2$
corresponds to the row indices of the two S-boxes.

Now if we treat $y_1$, $y_2$ and $v$ (thus $O'_0$, $O'_1$, and $S_0$) as known values, and $x_1$ and $x_2$ (thus $O_0$ and
$O_1$) as unknown variables, the first/second formula in Eq. 6 can be regarded as a system of linear equations
with 8/4 variables. Since both $A$ and $B$ are invertible matrices, we get


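$$
\begin{cases}
x_1 = W_1^{-1} \cdot y_1 \oplus Q \cdot v \\
x_2 = W_2^{-1} \cdot y_2
\end{cases}
\qquad (7)
$$

where

$$
W_1^{-1} = \begin{pmatrix} A^{-1} & 0 \\ 0 & A^{-1} \end{pmatrix}, \quad
W_2^{-1} = (B^{-1}), \quad
Q = W_1^{-1} \cdot Q',
$$

$$
A^{-1} = \begin{pmatrix} 0&0&1&0 \\ 1&1&0&0 \\ 0&0&0&1 \\ 1&0&1&0 \end{pmatrix}, \quad
B^{-1} = \begin{pmatrix} 0&1&0&1 \\ 0&0&1&0 \\ 1&1&0&0 \\ 0&0&0&1 \end{pmatrix}, \quad
A^{-1}C = \begin{pmatrix} 0&0&0&1 \\ 1&0&1&0 \\ 0&1&0&0 \\ 0&0&1&1 \end{pmatrix}
$$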

Therefore, we have the following proposition: 

Proposition 2 For the $\mathcal{G}$-component, if $O'_0$, $O'_1$ and $S_0$ (thus $y_1$, $y_2$ and $v$) are known values, then $O_0$ and $O_1$
(thus $x_1$ and $x_2$) can be calculated directly from Eq. 7. Specifically, $O_0$ (thus $x_1$) is uniquely determined by
$y_1$, and $O_1$ (thus $x_2$) is uniquely determined by $y_2$.
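
Proposition 2 worked through in code, as an added example rather than the authors' implementation: `g_forward` evaluates Eq. 3 bit by bit and `g_inverse` applies the matrices $A^{-1}$, $B^{-1}$ and $A^{-1}C$ of Eq. 7. The function names and the MSB-first packing of bit vectors are assumptions of this example.

```python
# Added illustration of Eq. 3, Eq. 7 and Proposition 2; not code from the paper.
# Bit vectors are lists written most-significant bit first, like x_1, x_2, y_1, y_2, v.

A_INV = [[0, 0, 1, 0], [1, 1, 0, 0], [0, 0, 0, 1], [1, 0, 1, 0]]
B_INV = [[0, 1, 0, 1], [0, 0, 1, 0], [1, 1, 0, 0], [0, 0, 0, 1]]
A_INV_C = [[0, 0, 0, 1], [1, 0, 1, 0], [0, 1, 0, 0], [0, 0, 1, 1]]


def bit(x, i):
    return (x >> i) & 1


def pack(bits):
    """Pack an MSB-first bit list into an integer."""
    value = 0
    for b in bits:
        value = (value << 1) | b
    return value


def g_forward(o0, o1, s0):
    """Eq. 3: map (O_0, O_1, S_0) to the two 6-bit outputs (O'_0, O'_1)."""
    O0 = lambda i: bit(o0, i)
    O1 = lambda i: bit(o1, i)
    S = lambda i: bit(s0, i)
    o0p = [O0(7) ^ O0(4) ^ S(5), O0(7) ^ O0(6) ^ O0(4) ^ S(7), O0(7) ^ S(4),
           O0(5) ^ S(6), O1(3) ^ O1(1) ^ O1(0), O1(3) ^ O1(0)]
    o1p = [O0(3) ^ O0(0) ^ S(1), O0(3) ^ O0(2) ^ O0(0) ^ S(3), O0(3) ^ S(0),
           O0(1) ^ S(2), O1(2), O1(0)]
    return pack(o0p), pack(o1p)


def mat_vec(m, v):
    """Matrix-vector product over GF(2)."""
    return [sum(a & b for a, b in zip(row, v)) & 1 for row in m]


def xor_vec(a, b):
    return [x ^ y for x, y in zip(a, b)]


def g_inverse(o0p, o1p, s0):
    """Eq. 7: recover (O_0, O_1) from (O'_0, O'_1) and the known S_0."""
    y1_hi = [bit(o0p, i) for i in (5, 4, 3, 2)]    # column bits fed to one S-box
    y1_lo = [bit(o1p, i) for i in (5, 4, 3, 2)]    # column bits fed to the other
    y2 = [bit(o0p, 1), bit(o0p, 0), bit(o1p, 1), bit(o1p, 0)]  # row bits
    v_hi = [bit(s0, i) for i in (7, 6, 5, 4)]
    v_lo = [bit(s0, i) for i in (3, 2, 1, 0)]
    x1_hi = xor_vec(mat_vec(A_INV, y1_hi), mat_vec(A_INV_C, v_hi))
    x1_lo = xor_vec(mat_vec(A_INV, y1_lo), mat_vec(A_INV_C, v_lo))
    x2 = mat_vec(B_INV, y2)                        # O_1 depends on y_2 only
    return pack(x1_hi + x1_lo), pack(x2)


def round_trip_ok(s0):
    """Check that Eq. 7 undoes Eq. 3 for every (O_0, O_1) under a fixed S_0."""
    return all(g_inverse(*g_forward(o0, o1, s0), s0) == (o0, o1)
               for o0 in range(256) for o1 in range(16))


if __name__ == "__main__":
    for s0 in (0x00, 0x5A, 0xFF):                  # constructed sample S_0 values
        print(f"S_0={s0:#04x}: inversion exact for all inputs: {round_trip_ok(s0)}")
```
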


1 Note that the definition of the variable $v$ in Eq. 6 in this paper is different from the one in Ref. [13]. In fact, $Q' \cdot v$ in this
paper is equivalent to vi as defined in Ref. [13].
3.3 Inverse Property of the $\mathcal{F}$-component

$\mathcal{F}$ is the only component that relates to the original encryption-key bytes, thus it is critical for us to analyze.
At each clock, the $\mathcal{F}$-component selects $K_c$ and $K_{\tau_1(\alpha)}$ for further computation. $K_c$ is simply selected by the
counter $c$, while $K_{\tau_1(\alpha)}$ is selected by the subscript $\tau_1(\alpha)$, which can be determined according to Eq. 2 and
Table 1.

The inverse analysis of the $\mathcal{F}$-component aims at deducing the above two selected key bytes from the
known output $(O_0, O_1)$ and the feedback byte $p$. Rewriting the second formula of Eq. 1, $K_c$ can be expressed
by $O_1$ and $p$ as follows:

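$$
\begin{cases}
K_{c,7} \oplus K_{c,3} = O_{1,3} \oplus p_7 \oplus p_3 \\
K_{c,6} \oplus K_{c,2} = O_{1,2} \oplus p_6 \oplus p_2 \\
K_{c,5} \oplus K_{c,1} = O_{1,1} \oplus p_5 \oplus p_1 \\
K_{c,4} \oplus K_{c,0} = O_{1,0} \oplus p_4 \oplus p_0
\end{cases}
\qquad (8)
$$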

For simplicity, let’s denote 

$$
\begin{cases}
k_h = (K_{c,7}, K_{c,6}, K_{c,5}, K_{c,4})^T \\
k_l = (K_{c,3}, K_{c,2}, K_{c,1}, K_{c,0})^T \\
p_h = (p_7, p_6, p_5, p_4)^T \\
p_l = (p_3, p_2, p_1, p_0)^T
\end{cases}
$$

then Eq. 8 becomes

$$
k_h \oplus k_l = O_1 \oplus p_h \oplus p_l. \qquad (9)
$$

Therefore, for $i = 0, 1, 2, 3$, when $O_{1,i} \oplus p_{i+4} \oplus p_i = 0$, the candidate for $(K_{c,i+4}, K_{c,i})$ is selected from
$\{(0, 0), (1, 1)\}$, and when $O_{1,i} \oplus p_{i+4} \oplus p_i = 1$, the candidate can only be selected from $\{(0, 1), (1, 0)\}$. This
implies that given $O_1$ and $p$, Eq. 8 has 16 solutions for $K_c$.

Similarly, rewriting the first formula of Eq. 1, $K_{\tau_1(\alpha)}$ can be obtained from $O_0$ by

$$
K_{\tau_1(\alpha)} = O_0 \lll \tau_2(\tau_1(\alpha)), \qquad (10)
$$

where $\alpha$ is related to $K_c$ and $p$, and can be calculated on the basis of Eq. 2. That is to say, we can get
the value of $\alpha$ through $p$ and the most/least-significant 4 bits of $K_c$. This leads to the following proposition:


Proposition 3 For the $\mathcal{F}$-component, if $O_1$ and $p$ are known, then all possible values of $K_c$ can be narrowed
down from $2^8$ to $2^4$ according to Eq. 8; if $O_0$, $p$, and $K_c$ are known, the input key byte $K_{\tau_1(\alpha)}$ can be uniquely
retrieved by Eq. 10.
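
The first half of Proposition 3 as an added Python example (not code from the paper): it enumerates the 16 solutions of Eq. 8 for a given $(O_1, p)$ and checks that, for a fixed $p$, the candidate sets of the 16 possible $O_1$ values are disjoint and cover all 256 key bytes. The function names and the sample values of $K_c$ and $p$ are constructed for illustration.

```python
# Added illustration of Eq. 8/9 and Proposition 3; not code from the paper.
# Function names are hypothetical; K_c and p below are constructed sample values.

def o1(kc: int, p: int) -> int:
    """Second formula of Eq. 1: XOR the two nibbles of (K_c XOR p)."""
    x = (kc ^ p) & 0xFF
    return ((x >> 4) & 0x0F) ^ (x & 0x0F)


def eq9_rhs(o1_val: int, p: int) -> int:
    """Right-hand side of Eq. 9: O_1 XOR p_h XOR p_l (a 4-bit value)."""
    return (o1_val ^ (p >> 4) ^ p) & 0x0F


def bit_pair_options(o1_val: int, p: int) -> dict:
    """For i = 0..3, the allowed (K_{c,i+4}, K_{c,i}) pairs stated after Eq. 9."""
    rhs = eq9_rhs(o1_val, p)
    return {
        i: [(0, 1), (1, 0)] if (rhs >> i) & 1 else [(0, 0), (1, 1)]
        for i in range(4)
    }


def kc_candidates(o1_val: int, p: int) -> list:
    """All 16 bytes K_c satisfying Eq. 8: choose k_l freely, k_h is then forced."""
    rhs = eq9_rhs(o1_val, p)
    return sorted(((k_l ^ rhs) << 4) | k_l for k_l in range(16))


def classes_for(p: int) -> dict:
    """Candidate set for every possible O_1 under a fixed feedback byte p."""
    return {o: kc_candidates(o, p) for o in range(16)}


def is_partition(classes: dict) -> bool:
    """True if the candidate sets are pairwise disjoint and cover 0..255."""
    seen = [k for cands in classes.values() for k in cands]
    return len(seen) == 256 and sorted(seen) == list(range(256))


if __name__ == "__main__":
    kc, p = 0xA7, 0x3C                      # constructed sample values
    leaked = o1(kc, p)
    cands = kc_candidates(leaked, p)
    print(f"O_1 = {leaked:#x}: {len(cands)} candidates, true K_c present: {kc in cands}")
    print("bit-pair options:", bit_pair_options(leaked, p))
    print("16 sets partition all key bytes:", is_partition(classes_for(p)))
```
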

Now we have obtained three inverse properties of the GMR-2 cipher’s components as described in Propositions
1, 2 and 3. At the end of this section, let’s briefly discuss the links among these inverse components as depicted
in Fig. 5. Take as the starting point a keystream byte $Z_l^{(N)}$ at the $l$-th clock with frame number $N$, and assume
the feedback bytes $S_0$ and $p$ are known. Then through the $\mathcal{H}^{-1}$-component, 16 possible values of $(O'_0, O'_1)$ will
be obtained. This is followed by passing through the $\mathcal{G}^{-1}$-component, which results in 16 different values of
$(O_0, O_1)$. And finally, after the $\mathcal{F}^{-1}$-component, each $(O_0, O_1)$ will deduce 16 candidates for $(K_c, K_{\tau_1(\alpha)})$. In
total, one can obtain at most 16 × 16 = 256 possible values for $(K_c, K_{\tau_1(\alpha)})$. The detailed analysis will be
described in the following section.
Fig. 5. Links among the Three Inverse Components


4 Inverse Properties of the GMR-2 Cipher 

In this section, we will analyze how these three inverse components interact with each other and show the 
links between the keystream bytes and the original encryption key bytes. 

Given a frame number $N$, let $S_i^{(l)}$ denote the state of $S_i$ at the $l$-th clock and $Z_l^{(N)}$ denote the keystream
byte at the $l$-th clock of the $N$-th frame in the keystream generation phase; then for $8 \le l \le 14$ we have

« “d P = 

which demonstrates that $S_0$ is equal to the keystream byte generated 8 clocks before, and $p$ is equal to the
last keystream byte. Hence, for $8 \le l \le 14$, both $S_0$ and $p$ are known to us, and so is the vector $v$ as previously
defined. To this end, we only focus on the cipher at the $(c+8)$-th clock with $0 \le c \le 6$ in the following
analysis. The main results are the following two theorems.

Theorem 1. At the $(c+8)$-th clock with $0 \le c \le 6$, if $K_c$ is known, then the corresponding encryption-key
byte $K_{\tau_1(\alpha)}$ can be uniquely determined by the current keystream byte $Z_{c+8}^{(N)}$.

Proof. Since $p$ is known at the $(c+8)$-th clock, from Eq. 2, knowing $K_c$ can help us to calculate $\alpha$, as well as
$\tau_1(\alpha)$ and $\tau_2(\tau_1(\alpha))$ via looking up Table 1. Meanwhile, $O_1$ (thus $x_2$) can be obtained from Eq. 1, based on
which $y_2$ can be calculated from Eq. 6. Due to Proposition 1, $y_1$, which corresponds to the column indices
for the two S-boxes, can be uniquely determined from $Z_{c+8}^{(N)}$ and the row indices $y_2$. Consequently, the value
of $O_0$ can be uniquely determined by Proposition 2. At last, with the help of Proposition 3, $K_{\tau_1(\alpha)}$ can be
calculated definitely from $O_0$, $K_c$ and $p$. □

Theorem 2. At the $(c+8)$-th clock with $0 \le c \le 6$, each keystream byte $Z_{c+8}^{(N)}$ exactly corresponds to 256
possible values of the triple $(K_c, K_{\tau_1(\alpha)}, \tau_1(\alpha))$, where $K_c$ ranges from 0 to 255.

Proof. First, according to Proposition 1 and Proposition 2, each keystream byte corresponds to 16
different $O_1$, and for each $O_1$, Proposition 3 further indicates the existence of 16 different candidates for $K_c$.

Next, by contradiction, we can prove that the candidates for $K_c$ obtained from different $O_1$ will be different
from each other. That is to say, assuming that $O_1^{(i)} \ne O_1^{(j)}$ holds, one can claim that the candidates $K_c^{(i)}$
and $K_c^{(j)}$ that are derived from $O_1^{(i)}$ and $O_1^{(j)}$ must be different. Otherwise, if $K_c^{(i)} = K_c^{(j)}$, then Eq. 1 indicates
$O_1^{(i)} = O_1^{(j)}$, which contradicts the hypothesis.

The above two steps demonstrate that each keystream byte $Z_{c+8}^{(N)}$ exactly corresponds to 256 values of
$K_c$. Moreover, through Theorem 1, $\tau_1(\alpha)$ and $K_{\tau_1(\alpha)}$ can be further uniquely obtained from $K_c$ and
$Z_{c+8}^{(N)}$, which completes this proof. □

Theorem 2 tells us that each $Z_{c+8}^{(N)}$ with $0 \le c < 7$ can deduce several triples $(K_c, K_{\tau_1(\alpha)}, \tau_1(\alpha))$. Next,
let’s discuss how these triples can be further used to get new information on $K$. Here we list two rules that
are crucial for our attack.

Rule 1 Given one triple $(K_c, K_{\tau_1(\alpha)}, \tau_1(\alpha))$ corresponding to the keystream byte $Z_{c+8}^{(N)}$ with $0 \le c \le 6$, if
$\tau_1(\alpha) = c$, we can compare $K_{\tau_1(\alpha)}$ with $K_c$:

- If $K_c = K_{\tau_1(\alpha)}$, it indicates that such $K_c$ can be regarded as a candidate;

- If $K_c \ne K_{\tau_1(\alpha)}$, it means that such $K_c$ cannot be a candidate, and should be discarded.

Rule 2 Given two triples $(K_m, K_{\tau_1(\alpha_m)}, \tau_1(\alpha_m))$ and $(K_n, K_{\tau_1(\alpha_n)}, \tau_1(\alpha_n))$ which correspond to $Z_{m+8}^{(N)}$ and
$Z_{n+8}^{(N)}$ with $0 \le m \ne n < 8$:

- If $\tau_1(\alpha_n) = m$, we can compare $K_{\tau_1(\alpha_n)}$ and $K_m$:

  • If $K_{\tau_1(\alpha_n)} = K_m$, it indicates that such $(K_m, K_n)$ can be regarded as a candidate;

  • If $K_{\tau_1(\alpha_n)} \ne K_m$, such $(K_m, K_n)$ cannot be a candidate, and should be discarded.

- If $\tau_1(\alpha_n) = \tau_1(\alpha_m)$, we can compare $K_{\tau_1(\alpha_n)}$ and $K_{\tau_1(\alpha_m)}$:

  • If $K_{\tau_1(\alpha_n)} = K_{\tau_1(\alpha_m)}$, it indicates that such $(K_m, K_n)$ can be regarded as a candidate;

  • If $K_{\tau_1(\alpha_n)} \ne K_{\tau_1(\alpha_m)}$, such $(K_m, K_n)$ cannot be a candidate, and should be discarded.

5 The Real-time Inversion Attack on the GMR-2 Cipher 

In this section, we present a very efficient and practical attack against the GMR-2 cipher with low time and 
data complexity. We call this attack the real-time inversion attack. 

5.1 An Overview of the Inversion Attack 

As shown in Fig. 6, we first briefly explain the inversion attack procedure, which is divided into the following
three phases:



Fig. 6. An overview of the inversion attack procedure 
Fig. 7. The Table Generation Procedure


Phase 1: Table generation. Intercept a certain number of keystream bytes (usually only one frame is
enough), then adopt Theorem 2 to generate the 7 lists which map the keystream bytes at the $(c+8)$-th
clock with $0 \le c \le 6$ to the original key bytes. Meanwhile, build a virtual list for the 8-th original key
byte. We refer to these lists as tables.

Phase 2: Dynamic table look-up, filtration and combination. Look up the tables (8 lists) generated in
Phase 1 to obtain candidates for encryption key bytes, adopt Rules 1 ~ 2 to further filter these candidates,
and combine the key bytes that agree with the filter condition and store them in a list. Meanwhile, discard
those that do not satisfy the constraints, and backtrack to a proper start-point for a new table look-up.
Repeat the steps of table look-up, filtration and combination until all the candidate keys that meet the
constraints of Rules 1 and 2 are found.

Phase 3: Verification. Verify the correctness of the candidate keys obtained in Phase 2 via the intercepted
keystream bytes (usually the first 8 bytes of a frame are enough), and discard all wrong 8-byte encryption-keys.


5.2 Phase 1: Table Generation 

Without loss of generality, assume the frame number of the keystream bytes is $N = 0$, and let $(Z_0^{(0)}, Z_1^{(0)}, \ldots,
Z_{14}^{(0)})$ denote the known 15 bytes of keystream. To assure that the values of $p$ and $S_0 = v$ are known, we
analyze the cipher at the $(c+8)$-th clock with $0 \le c \le 6$.

According to the mechanism of the GMR-2 cipher, each keystream byte $Z_{c+8}^{(0)}$ is related with

$$
K_c,\ K_{\tau_1(\alpha)},\ \tau_1(\alpha),\ \underbrace{Z_{c+7}^{(0)}}_{p},\ \underbrace{Z_c^{(0)}}_{S_0^{(c+8)}},\ c \bmod 2
$$

which means that a mapping between $(Z_{c+8}^{(0)}, Z_{c+7}^{(0)}, Z_c^{(0)})$ and $(K_c, K_{\tau_1(\alpha)}, \tau_1(\alpha))$ can be established in case $c$
is known. Thus, from the known keystream $(Z_0^{(0)}, Z_1^{(0)}, \ldots, Z_{14}^{(0)})$, we can obtain 7 groups of $(Z_{c+8}^{(0)}, Z_{c+7}^{(0)}, Z_c^{(0)})$
with $0 \le c \le 6$, and each group can be used to build 256 possible values of the triple $(K_c, K_{\tau_1(\alpha)}, \tau_1(\alpha))$ based
on Theorem 2.

For a better explanation, one can refer to the table generation procedure in Fig. 7. During this phase,
for each group $(Z_{c+8}^{(0)}, Z_{c+7}^{(0)}, Z_c^{(0)})$ with $0 \le c \le 6$, the following steps are performed:


1. Look up the two S-boxes to obtain the 16 values of $(y_1, y_2)$ through the keystream byte $Z_{c+8}^{(0)}$ and the
toggle-bit $t$;

2. Calculate the corresponding values of $(x_1, x_2)$ via Eq. 7 for a given $(y_1, y_2)$ from step (1); this also
corresponds to $O_0$ and $O_1$;

3. Find 16 different values of $K_c$ for a given $O_1$ according to Eq. 8, and then get the related values of
$K_{\tau_1(\alpha)}$ and $\tau_1(\alpha)$ according to Theorem 1, which yields 16 triples $(K_c, K_{\tau_1(\alpha)}, \tau_1(\alpha))$;

4. Repeat step (2) and step (3) for the 16 different values of $(y_1, y_2)$, thereby yielding 256 triples $(K_c, K_{\tau_1(\alpha)}, \tau_1(\alpha))$
that are stored in a list denoted by $\mathcal{L}_c$, in which $K_c$ is sorted in ascending order.

It should be noted that the above table generation procedure cannot deduce any more information for
the 8-th original key byte $K_7$ from the known keystream $(Z_0^{(0)}, Z_1^{(0)}, \ldots, Z_{14}^{(0)})$, i.e., we can only assume
that the candidates for $K_7$ range from 0 to 255, but the corresponding values of $K_{\tau_1(\alpha)}$ and $\tau_1(\alpha)$ are not
available. Thus we build a virtual list for $K_7$ ranging from 0 to 255 but with empty values for $K_{\tau_1(\alpha)}$ and
$\tau_1(\alpha)$. In total, we generate 8 lists and each list is stored with 256 triples. These 8 lists are denoted by

$\{\mathcal{L}_0, \mathcal{L}_1, \mathcal{L}_2, \mathcal{L}_3, \mathcal{L}_4, \mathcal{L}_5, \mathcal{L}_6, \mathcal{L}_7\}$.

5.3 Phase 2: Dynamic Table Looks-up, Filtration and Combination 

Now we have generated 8 lists from Phase 1; however, if we simply try an exhaustive search using these
lists without any strategy, there will be no advantage compared with the brute force attack. Thus, before
describing our proposed inversion attack strategy, we first introduce the following two concepts, “key chain”
and “valid key chain”, based on the 8 lists generated in Phase 1.

Definition 1. (Key Chain) A sequence of ordered key bytes

$$
((i_1, K_{i_1}), (i_2, K_{i_2}), \ldots, (i_l, K_{i_l})),
$$

where $i_j$ is the index (subscript) for $K_{i_j}$ ($1 \le j \le l$), is called a key chain with length of $l$ bytes if it satisfies
the following condition: for every $1 \le m \le l - 1$, there exists a list $\mathcal{L}_{i_m}$ such that $(K_{i_m}, K_{i_{m+1}}, i_{m+1}) \in \mathcal{L}_{i_m}$.
For convenience, we simply use

$$
K_{i_1} \to K_{i_2} \to \cdots \to K_{i_l}
$$

to denote this key chain, where $K_{i_1}$ is the starting node and $K_{i_l}$ is the ending node.

Definition 2. (Valid Key Chain) A key chain $K_{i_1} \to K_{i_2} \to \cdots \to K_{i_l}$ with length of $l$ bytes is called a
valid key chain if it satisfies one of the following conditions:

1. There exists an index $i_j \in \{i_1, i_2, \ldots, i_l\}$ such that $(K_{i_l}, K_{i_j}, i_j) \in \mathcal{L}_{i_l}$;

2. $i_l = 7$ and there is no other valid key chain that contains the 8-th key byte $K_7$;

3. There already exists a valid key chain with length of $n$ bytes: $K_{i'_1} \to K_{i'_2} \to \cdots \to K_{i'_n}$; meanwhile, there
exists an index $i_j \in \{i'_1, i'_2, \ldots, i'_n\}$ such that $(K_{i_l}, K_{i_j}, i_j) \in \mathcal{L}_{i_l}$.

Example Given a key chain with length of three bytes: $K_{i_1} \to K_{i_2} \to K_{i_3}$, the following three cases imply
three kinds of valid key chains:

- there exists an index $i_j \in \{i_1, i_2, i_3\}$ such that $(K_{i_3}, K_{i_j}, i_j) \in \mathcal{L}_{i_3}$, as shown in Fig. 8(a)

- $i_3 = 7$ and there is no other valid key chain that contains $K_7$, as shown in Fig. 8(b)

- there already exists a valid key chain with length of two bytes: $K_{i'_1} \to K_{i'_2}$; meanwhile, there exists an
index $i_j \in \{i'_1, i'_2\}$ such that $(K_{i_3}, K_{i_j}, i_j) \in \mathcal{L}_{i_3}$, as shown in Fig. 8(c)

According to the definition, for the GMR-2 cipher, the minimum length of a valid key chain is one byte,
meaning the key byte is associated with itself, while the maximum length is eight bytes, meaning all the
eight key bytes are connected in one chain. Moreover, all valid key chains must be disjoint from each other.
Therefore, an 8-byte encryption-key can be divided into at most 8 valid key chains, each containing just one
key byte, or at least 1 valid key chain, containing the whole 8 key bytes.
Fig. 8. The Diagram of the Links for Valid Key Chains in the Example

Table 2. Definitions of the variables and candidate sets

| Variable | Definition | Initialization |
|---|---|---|
| $\mathcal{R}$ | The $(i-1)$ valid key chains obtained before: $\mathcal{R} = \{\gamma_1, \gamma_2, \ldots, \gamma_{i-1}\}$. | $\emptyset$ |
| $\Lambda$ | The key chain currently being looked up: $\Lambda = \gamma_i$. | $\emptyset$ |
| $\Gamma = \{\Gamma_1, \Gamma_2\}$ | The set of indices (subscripts) for the key bytes that have been obtained by table look-up, where $\Gamma_1$ corresponds to the key bytes in $\mathcal{R}$, and $\Gamma_2$ to the key bytes in $\Lambda$. | $\emptyset$ |
| $KC$ | The candidate set of the complete 8-byte encryption-keys. | $\emptyset$ |
| $(c, K_c)$ | Query point, querying the $K_c$-th row in the $c$-th list $\mathcal{L}_c$; it is also used as the control parameter for ending Phase 2. | $(0, 0)$ |

Main Idea of Phase 2. Using the concept of valid key chain, Phase 2 can be described as “dynamically
seeking all valid key chains (that accord with Rules 1 and 2 by table look-up and filtration) and combining
them to form candidates for the complete 8-byte encryption key”. Let’s define three candidate sets $\mathcal{R}$, $\Lambda$
and $KC$, an index set $\Gamma$ and a query point $(c, K_c)$ as in Table 2. Using these symbols, and referring to Fig.
9, the second phase of the inversion attack can be briefly explained as follows (for the details of the attack
procedure of Phase 2, one can refer to Algorithms 1 and 2):

1. Choose a starting node (query point) $(0, K_0)$, and for each possible value of $K_0$ (ranging from 0 ~ 255),
dynamically look up the table (8 lists obtained from Phase 1) in a serialized manner to build up a key
chain $\Lambda$, and store the indices (subscripts) for the key bytes obtained in $\Lambda$ into the set $\Gamma_2$. Once $\Lambda$
becomes “valid” through the filtration, treat $\Lambda = \gamma_1$ as the first layer of the valid key chain, store
the key bytes of the chain as well as their indices (subscripts) into $\mathcal{R}$, and copy these indices (subscripts)
into $\Gamma_1$.

2. Choose a new starting node $(\min(\overline{\Gamma}), K_{\min(\overline{\Gamma})})$, where $\min(\overline{\Gamma})$ is the minimum subscript for the key
bytes ($K_0 \sim K_7$) that have not been obtained before (through table look-up), and for each possible
value of such key byte (also ranging from 0 ~ 255), continue to dynamically look up the table and do the
filtration to build up an $i$-th layer of a valid key chain $\Lambda = \gamma_i$ with $1 < i \le 8$. Similarly update the sets
$\mathcal{R} = \{\gamma_1, \gamma_2, \ldots, \gamma_i\}$, $\Gamma_1$ and $\Gamma_2$.


A Real-time Inversion Attack on the GMR-2 Cipher 




Fig. 9. Dynamic Combination of Valid Key Chains in Phase 2 (The number of valid key chain layers as well as the length of
each valid key chain are dynamically changed.) Legend: the starting node of a valid key chain, which is also the
backtracking point; the middle node of a valid key chain; the ending node of a valid key chain. Note: All nodes are
distinct from each other.



$$\Delta: (c, K_c) \to (\tau_1(\alpha_1), K_{\tau_1(\alpha_1)}) \to (\tau_1(\alpha_2), K_{\tau_1(\alpha_2)}) \to (\tau_1(\alpha_3), K_{\tau_1(\alpha_3)})$$

Fig. 10. The Procedure of Dynamic Table Look-up in Phase 2


3. Check whether all valid key chains in $\mathcal{R}$ exactly cover the whole 8-byte encryption-key. If so, combine these valid key chains, keep the result in $KC$, and backtrack to the starting node of $\Delta$ to find a new valid key chain (in order to find new candidate keys); otherwise go back to Step 2.

4. Repeat Steps 1 ~ 3 until all the candidate 8-byte encryption-keys are obtained.


How to dynamically look up the table to build up a key chain? Referring to Fig. 10, given a query point $(c, K_c)$ as the starting node of a chain $\Delta$, $c$ points to the list $\mathcal{L}_c$, in which the adversary looks up the row with value $K_c$ to get $(K_{\tau_1(\alpha_1)}, \tau_1(\alpha_1))$. At this point we have obtained a middle node $(\tau_1(\alpha_1), K_{\tau_1(\alpha_1)})$, and a second, similar look-up follows: $\tau_1(\alpha_1)$ points to the list $\mathcal{L}_{\tau_1(\alpha_1)}$, whose row with value $K_{\tau_1(\alpha_1)}$ gives a new result $(K_{\tau_1(\alpha_2)}, \tau_1(\alpha_2))$. Repeating this process, we further get the next middle nodes $(K_{\tau_1(\alpha_3)}, \tau_1(\alpha_3)), \cdots$ through the lists $\mathcal{L}_{\tau_1(\alpha_2)}, \cdots$; thus we obtain a key chain

$$\Delta: (c, K_c) \to (\tau_1(\alpha_1), K_{\tau_1(\alpha_1)}) \to (\tau_1(\alpha_2), K_{\tau_1(\alpha_2)}) \to (\tau_1(\alpha_3), K_{\tau_1(\alpha_3)})$$

which is then passed to the filtration procedure to check whether it is a valid key chain.

How to do the filtration to get a valid key chain? The purpose of the filtration is to check whether the key chain obtained through the table look-up is valid; this is done by applying Rule 1 and Rule 2 to discard the inconsistent cases. Moreover, during the filtration, we need to do the following extra backtracking steps:

— If the ending node of a key chain disagrees with the constraints of Rule 1 and Rule 2, the chain cannot form a valid key chain. One should then backtrack to the starting node of the current key chain $\Delta = \gamma_i$, update $\Gamma_2 \leftarrow \emptyset$, $\Delta \leftarrow \emptyset$, set a new value for this starting node (as the query point), and repeat the procedure of dynamic table look-up, filtration and combination.

— If the starting node of $\Delta = \gamma_i$ goes beyond the range 0 ~ 255, we backtrack to the starting node of the $(i-1)$-th layer of the valid key chain, $\gamma_{i-1}$ in $\mathcal{R}$, and do a similar procedure. This is repeated until we backtrack to the first layer of the valid key chain, $\gamma_1$. If the starting node of $\gamma_1$ is out of the range 0 ~ 255, all the valid key chains have been found, and Phase 2 of the inversion attack stops.
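The look-up and filtration of a single key chain described above can be traced on a small table. The following Python is an added example, not the authors' code: the sparse `ROWS` table and its byte values are constructed, the names `follow_chain` and `next_start_index` are hypothetical, and Rule 1 and Rule 2 are applied in the way Algorithm 1 tests them.

```python
# Added illustration, not the paper's code: follow one key chain through
# constructed look-up rows and apply the checks in Algorithm 1's order.
LAST = 7  # index of key byte K_7; a chain that reaches it ends there

# Constructed sparse rows {(c, K_c): (tau, K_tau)}. A real Phase 1 table
# has 8 lists of 256 rows each; these values are made up for the demo.
ROWS = {
    (0, 0x11): (3, 0x22), (3, 0x22): (5, 0x33), (5, 0x33): (7, 0x44),
    (0, 0x12): (0, 0x99),                      # self-reference, mismatch
    (0, 0x13): (0, 0x13),                      # self-reference, match
    (1, 0x50): (2, 0x60), (2, 0x60): (3, 0x22),
    (1, 0x51): (3, 0x23),                      # contradicts K_3 = 0x22
    (1, 0x52): (4, 0x70), (4, 0x70): (1, 0x52),
}


def follow_chain(rows, start, known):
    """Return (valid, chain) for the key chain beginning at `start`.
    start: query point (c, K_c), with c not yet an index in `known`.
    known: {index: byte} taken from chains already accepted (set R).
    chain: {index: byte} for this chain (set Delta), empty if rejected.
    """
    chain = {}
    c, k = start
    while True:  # each pass fixes a new index, so at most 8 passes
        tau, k_tau = rows[(c, k)]
        seen = {**known, **chain}
        if tau in seen:                 # Rule 2: byte already fixed
            valid = seen[tau] == k_tau
        elif tau == c:                  # Rule 1: row points to its own list
            valid = k_tau == k
        elif tau == LAST:               # chain ends at the last key byte
            chain[LAST] = k_tau
            valid = True
        else:                           # middle node: keep walking
            chain[c] = k
            c, k = tau, k_tau
            continue
        if not valid:
            return False, {}
        chain[c] = k
        return True, chain


def next_start_index(known):
    """Smallest key-byte index not yet covered, or None if all 8 are."""
    missing = [i for i in range(8) if i not in known]
    return missing[0] if missing else None
```

A rejected chain comes back empty, matching the reset $\Delta \leftarrow \emptyset$ that precedes the next value of the starting node.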


Algorithm 1 Inversion Attack: Phase 2 (Part I)

Input: keystream-related lists $\{\mathcal{L}_0, \mathcal{L}_1, \mathcal{L}_2, \mathcal{L}_3, \mathcal{L}_4, \mathcal{L}_5, \mathcal{L}_6, \mathcal{L}_7\}$.
Output: key candidate set $KC$.
Initialization: $\mathcal{R} \leftarrow \emptyset$; $\Delta \leftarrow \emptyset$; $\Gamma \leftarrow \emptyset$; $(c, K_c) \leftarrow (0, 0)$; $KC \leftarrow \emptyset$.

repeat
    $(\tau_1(\alpha), K_{\tau_1(\alpha)}) \leftarrow$ LookUpTable$(c, K_c, \mathcal{L}_c)$;
    if $\tau_1(\alpha) \in \Gamma$ then /* Given that the $\tau_1(\alpha)$-th key byte $K_{\tau_1(\alpha)}$ already exists in the candidate sets, do the filtration using Rule 2. */
        if $(\tau_1(\alpha), K_{\tau_1(\alpha)}) \in \Delta$ or $(\tau_1(\alpha), K_{\tau_1(\alpha)})$ belongs to a certain valid key chain of $\mathcal{R}$ then
            $\Gamma_2 \leftarrow \Gamma_2 \cup \{c\}$; $\Delta \leftarrow \Delta \cup \{(c, K_c)\}$;
            $(c, K_c) \leftarrow$ Combine$(\Delta)$; /* The valid key chain obtained at this time agrees with property (i) or (iii) of Definition 2. */
        else
            $(c, K_c) \leftarrow$ BackTrack$(\Delta)$;
        end
    else
        if $\tau_1(\alpha) == c$ then
            if $K_{\tau_1(\alpha)} == K_c$ then /* Do the filtration using Rule 1. */
                $\Gamma_2 \leftarrow \Gamma_2 \cup \{c\}$; $\Delta \leftarrow \Delta \cup \{(c, K_c)\}$;
                $(c, K_c) \leftarrow$ Combine$(\Delta)$; /* The valid key chain obtained at this time agrees with property (i) of Definition 2. */
            else
                $(c, K_c) \leftarrow$ BackTrack$(\Delta)$;
            end
        else
            if $\tau_1(\alpha) == 7$ then
                $\Gamma_2 \leftarrow \Gamma_2 \cup \{c, 7\}$; $\Delta \leftarrow \Delta \cup \{(c, K_c), (7, K_7)\}$;
                $(c, K_c) \leftarrow$ Combine$(\Delta)$; /* The valid key chain obtained at this time agrees with property (ii) of Definition 2. */
            else /* Continue to find the next node of the current key chain. */
                $\Delta \leftarrow \Delta \cup \{(c, K_c)\}$;
                $(c, K_c) \leftarrow (\tau_1(\alpha), K_{\tau_1(\alpha)})$;
            end
        end
    end
until $K_c > 255$ and $c = 0$;
return $KC$;

Algorithm 2 Inversion Attack: Phase 2 (Part II)

Function Combine$(\Delta)$ /* Combine a valid key chain or the whole 8-byte key, and return the new starting point (query point) of a new key chain. */
    $\mathcal{R} \leftarrow \mathcal{R} \cup \{\Delta\}$; $\Gamma_1 \leftarrow \Gamma_1 \cup \Gamma_2$;
    if Length$(\Gamma_1) == 8$ then /* In this case, we have obtained a complete 8-byte candidate key, thus we save it in $KC$ and backtrack to the starting node to build up another candidate key. */
        $KC \leftarrow KC \cup \mathcal{R}$;
        $\mathcal{R} \leftarrow \mathcal{R} - \{\Delta\}$; $\Gamma_1 \leftarrow \Gamma_1 - \Gamma_2$;
        $(c, K_c) \leftarrow$ BackTrack$(\Delta)$;
    else /* If not, we seek the next valid key chain. Here, $\bar{\Gamma}$ denotes the set of indices (subscripts) for the key bytes that have not been obtained before. */
        $(c, K_c) \leftarrow (\min(\bar{\Gamma}), 0)$;
    end
    $\Gamma_2 \leftarrow \emptyset$; $\Delta \leftarrow \emptyset$;
    return $(c, K_c)$;
end

Function BackTrack$(\Delta)$
    $(c, K_c) \leftarrow$ StartingNodeOf$(\Delta)$; /* Backtrack to the starting point of the current key chain $\gamma_i$. */
    $K_c \leftarrow K_c + 1$; /* Update the key value of the starting node of $\gamma_i$. */
    if $K_c > 255$ then
        if $c = 0$ then
            return $(c, K_c)$;
        end
        $\Delta \leftarrow \gamma_{i-1}$; $\Gamma_2 \leftarrow$ SubscriptOf$(\Delta)$; /* Update the current key chain. */
        $\mathcal{R} \leftarrow \mathcal{R} - \{\Delta\}$; $\Gamma_1 \leftarrow \Gamma_1 - \Gamma_2$;
        $(c, K_c) \leftarrow$ BackTrack$(\Delta)$; /* Backtrack to the starting node of the previous valid key chain $\gamma_{i-1}$. */
    end
    $\Gamma_2 \leftarrow \emptyset$; $\Delta \leftarrow \emptyset$;
    return $(c, K_c)$;
end


5.4 Phase 3: Verification 

To exclude wrong candidate keys, Phase 3 tests the candidate keys stored in KC one by one, using the 
first 8 bytes Z^\ • • • , Z of the known keystream. For each candidate key, the following steps are 

performed: 

1. Fill the key register K with the candidate key, and initialize the shift register S with the known frame number;

2. Clock the cipher 8 times for initialization, and obtain the next 8 bytes of keystream;

3. Compare this calculated keystream with the corresponding 8 bytes of the intercepted known keystream. If they match, the correct key is found; otherwise, this candidate key is discarded.

6 Experimental Results and Complexity Analysis 

In order to verify our proposed attack, in this section, we do some experiments and give the complexity 
analysis. 

6.1 Experimental Results 

We carried out 10000 experiments on a 3.3GHz platform for the GMR-2 cipher with random frame numbers and keys. Our results demonstrate that the retrieved encryption-key may not be unique for a known 15-byte keystream in some cases. In other words, there exist multiple encryption-keys corresponding to the same 15-byte keystream, and these encryption-keys usually differ from each other in one byte. More precisely, each 15-byte keystream indicates 1.03 encryption-keys on average: approximately 97.2% of the keystreams indicate a unique encryption-key, and the remaining 2.8% indicate multiple (at most four) encryption-keys. To overcome this problem, one additional keystream byte of another frame is needed in these cases, which means that 9 bytes of keystream in total are exploited in the third phase. Therefore, together with the one frame of keystream leveraged in Phase 1, the required number of keystream bytes for the whole attack is 15 ~ 16.

Fig. 11. The frequency distribution of the number of candidate keys (the numbers on the horizontal axis are in thousands, and each interval contains the left value).

Fig. 12. The frequency distribution of attack time (axis label: Time / ms).

To make a better comparison, the number of candidate keys produced by Phase 2 was counted for each attack. The average number is 7755 and the distribution is shown in Fig. 11, which shows that one needs to verify 7755 times on average during Phase 3. The time consumed by each attack was also counted, with the distribution shown in Fig. 12, which shows that the 8-byte encryption-key can be deduced in around 0.02s on average, where 0.08ms is consumed to generate the table, 3.37ms to verify the candidates, and the remaining 16.55ms by Phase 2.

We also point out that the forward verification can be performed each time an 8-byte candidate key is combined during Phase 2, that is, Phase 2 and Phase 3 can be alternated. Once an 8-byte candidate key passes the forward verification against the 9 bytes of keystream, the attack can be stopped, which accelerates the inversion attack. With this optimized inversion attack, the average number of verifications is reduced to 3980 and the time consumed is about 0.01s on average. The optimized attack procedure is depicted in Fig. 13.

Fig. 13. Optimized inversion attack procedure

6.2 Complexity Analysis 

Time complexity analysis. The time complexity of our inversion attack consists of the time of table generation, dynamic table look-up and filtration, and verification. This can be analysed from the experimental statistics, but for convenience we just focus on the exhaustive search space. As we do verification $7755 \approx 2^{13}$ times on average, the exhaustive search space is about $2^{13}$, which is further reduced to $3980 \approx 2^{12}$ on average when adopting the optimized attack.

Data complexity analysis. The data complexity of our attack is 15 ~ 16 bytes of keystream. In 10000 experiments, approximately 97.2% of the encryption-keys can be uniquely determined by the 15 bytes of keystream, and the remaining cases (about 2.8%) need an extra keystream byte. Thus, $15 \times 97.2\% + 16 \times 2.8\% \approx 15.03$ bytes of keystream are needed on average to distinguish the right encryption-key from the $2^{13}$ candidates.

Memory complexity analysis. The memory complexity of our attack stems mainly from the table (8 lists) generated in Phase 1. Since each list is filled with 256 triples $(K_c, K_{\tau_1(\alpha)}, \tau_1(\alpha))$, our attack needs about $256 \times 3 \times 8$ bytes = 6K bytes of storage space.

7 Conclusions 

In this paper, we propose a very efficient, real-time inversion attack against the GMR-2 cipher. It can retrieve the complete 8-byte encryption-key from only 1 frame (15 bytes) of keystream on average; the exhaustive search space is reduced to about $2^{13}$ and the memory complexity is 6KB.

Table 3 compares the known cryptanalytic results with ours, from which we can see that the inversion attack proposed in this paper possesses evident superiority compared with the dynamic guess-and-determine attack and the read-collision based attack. Given one frame (15 bytes) of keystream, one can break the GMR-2 cipher in only 0.02s on a 3.3GHz platform. This again demonstrates that there exist serious security flaws in the GMR-2 cipher, and it is crucial for service providers to upgrade the cryptographic modules² of the system in order to provide confidential communication.

² Note that the GMR-2 cipher is currently being used in the “IsatPhone Pro” satellite phones.

Table 3. Cryptanalytic results on the GMR-2 cipher

| Method | Data | Brute Force Space | Memory | Average Time |
|---|---|---|---|---|
| Read-Collision Based Technique [4] | 15 ~ 20 frames | $2^{10}$ | - | - |
| Read-Collision Based Technique [4] | 4 ~ 5 frames | $2^{18}$ | - | - |
| Dynamic Guess-and-Determine [13] | 1 frame | $2^{28}$ | - | 280s ▲ |
| Inversion Attack (This Paper) | 1 frame | $2^{13}$ | 6KB | 0.02s △ |
| Optimized Inversion Attack (This Paper) | 1 frame | $2^{12}$ | 6KB | 0.01s △ |

▲: Experimental platform: 3.3 GHz platform; Number of experiments: 1000
△: Experimental platform: 3.3 GHz platform; Number of experiments: 10000